When was the last time you paid to read a piece of content on the Web?

Most likely, it’s been a while. The users of the Web have become used to the idea that Web content is (more or less) free. And outside of sites that put paywalls up, that indeed appears to be the case.

But is the Web really free?

I’ve had lots of conversations lately about personal privacy, cookies, tracking, and “getting scroogled“. Some with technical colleagues, some with non-technical friends. The common thread is that most people (that world full of normal people, not the world that many of my technical readers likely live in) have no idea what sort of information they give up when they use the Web. They have no idea what kind of personal information they’re sharing when they click <accept> on that new mobile app that wants to upload their (Exif geo-encoded) photos, that wants to track their position, or wants to harmlessly upload their phone’s address book to help “make their app experience better”.

My day job involves me understanding technology at a pretty deep level, being pretty familiar with licensing terms, and previous lives have made me deeply immersed in the world of both privacy and security. As a result, it terrifies me to see the crap that typical users will click past in a licensing agreement to get to the dancing pigs. But Pavlov proved this all long ago, and the dancing pigs problem has highlighted this for years, to no avail. Click through software licenses exist primarily as a legal CYA, and terms of service agreements full of legalese gibberish could just as well say that people have to eat a sock if they agree to the terms – they’ll still agree to them (because they won’t read them).

I responded to the first post with the statement that accurate search results have intrinsic value to users, but most users can’t actually quantify a loss of privacy. What did I mean by that? I mean that most normal people will tell you they value their privacy if you ask them, but if you take away the free niblets all over the Web that they get for giving up their privacy little by little, they’ll actually renege on how important privacy really is.

Imagine the response if you told a friend, family member, or colleague that you had a report/blog/study you were working on, and asked them, “Hey, I’m going to shoulder-surf you for a day and write down which Websites you visit, how often and how long you visit them, and who you send email to, okay?” In most cases, they’d tell you no, or tell you that you’re being weird.

Then ask them how much you’d need to pay them in order for them to let you shoulder-surf. Now they’ll be creeped out.

Finally, tell them you installed software on their computer last week, so you’ve already got the data you need, is it okay if you use that for your report. Now they’re going to probably completely overreact, and maybe even get angry (so tell them you were kidding).

More than two years ago, I discussed why do-not-track would stall out and die, and in fact, it has. This was completely predictable, and I would have been completely shocked if this hadn’t happened. It’s because there is one thing that makes the Web work at all. It’s the cycle of micropayments of personally identifiable information (PII) that, in appropriate quantities, allow advertisers (and advertising companies) to tune their advertising. In short, everything you do is up for grabs on the Web to help profile you (and ideally, sell you something). Some might argue that you searching for “schnauzer sweaters” isn’t PII. The NSA would beg to differ. Metadata is just as valuable, if not more, than data itself, to uniquely identify an individual.

When Facebook tweaked privacy settings to begin “liberating” personal information, it was all about tuning advertising. When we search using Google (or Bing, or Yahoo), we’re explicitly profiling ourselves for advertisers. The free Web as we know it is sort of a mirage. The content appears free, but isn’t. Back in the late 1990’s, the idea of micropayments was thrown about, and has in my opinion come and gone. But it is far from dead. It just never arrived in the form that people expected. Early on, the idea was that individuals might pay a dollar here for a news story, a few dollars there for a video, a penny to send an email, etc. Personally, I never saw that idea actually taking off, primarily because the epayment infrastructure wasn’t really there, and partially because, well, consumers are cheap and won’t pay for almost anything.

In 1997, Nathan Myhrvold, Microsoft’s CTO, had a different take. Nathan said, “Nobody gets a vig on content on the Internet today… The question is whether this will remain true.”

Indeed, putting aside his patent endeavors, Nathan’s reading of the tea leaves at that time was very telling. My contention is that while users indeed won’t pay cash (payments or micropayments) for the activities they perform on the Web, they’re more than willing to pay for their use of the Web with picopayments of personal information.

If you were to ask a non-technical user how much they would expect to be paid for an advertiser to know their home address, how many children they have, or what the ages of their children are, or that they suffer from psoriasis, most people would be pretty uncomfortable (even discounting the psoriasis). People like to assume, incorrectly, that their privacy is theirs, and the little lock icon on their browser protects all of the niblets of data that matter. While it conceptually does protect most of the really high financial value parts of an individual’s life (your bank account, your credit card numbers, and social security numbers), it doesn’t stop the numerous entities across the Web from profiling you. Countless crumbs you leave around the Web do allow you to be identified, and though they may not expose your personal, financial privacy, do expose your personal privacy for advertisers to peruse. It’s easy enough for Facebook (through the ubiquitous Like button) or Google (through search, Analytics, and AdSense) to know your gender, age, marital/parental status, any medical or social issues you’re having, what political party you favor, and what you were looking at on that one site that you almost placed an order on, but wound up abandoning.

If you could truly visualize all of the personal attributes you’ve silently shared with the various ad players through your use of the Web, you’d probably be quite uncomfortable with the resulting diagram. Luckily for advertisers, you can’t see it, and you can’t really undo it even if you could understand it all. Sure, there are ways to obfuscate it, or you could stay off the Web entirely. For most people, that’s not a tradeoff they’re willing to make.

The problem here is that human beings, as a general rule, stink at assessing intangible risk, and even when it is demonstrated to us in no uncertain terms, we do little to rectify it. Free search engines that value your privacy exist. Why don’t people switch? Conditioning to Google and the expected search result quality, and sheer laziness (most likely some combination of the two). Why didn’t people flock from Facebook to Diaspora or other alternatives when Facebook screwed with privacy options? Laziness, convenience, and most likely, the presence of a perceived valuable network of connections.

It’s one thing to look over a cliff and sense danger. But as the dancing pigs phenomenon (or the behavior of most adolescents/young adults, and some adults on Facebook) demonstrates, a little lost privacy here and a little lost privacy there is like the metaphoric frog in a pot. Over time it may not feel like it’s gotten warmer to you. But little by little, we’ve all sold our privacy away to keep the Web “free”.

I’m pretty lucky. For now, this is the view from my office window. You see all those boats? I get to look out at the water, and those boats, all the time (sun, rain, or snow). But those boats… honestly, I see most of those boats probably hundreds of days per year more than their owners do. I’d bet there’s a large number of them that haven’t moved in years.

The old adage goes “The two happiest days in a boat owner’s life are the day he buys it, and the day he sells it.”

All too often, the tools that we acquire in order to solve our problems or “make our lives better” actually add new problems or new burdens to our lives instead. At least that’s what I have found. You buy the best hand mixer you can find, but the gearing breaks after a year and the beaters won’t stay in, so you have to buy a new one. You buy a new task-tracking application, but the act of changing your work process to accommodate it actually results in lower efficiency than simply using lined paper with a daily list of tasks. As a friend says about the whole Getting Things Done (GTD) methodology, “All you have to do is change the way you work, and it will completely change the way you work.”

Perhaps that’s an unfair criticism of GTD, but the point stands for many tools or technologies. If the investment required to take advantage of, and maintain, a given tool exceeds the value returned by it (the efficiency it provides), it’s not really worth acquiring or using.

Technology promises you the world, but then winds up making the best part of using it when you cut yourself taking it out of the hermetically sealed package it was shipped in from China. Marketing will never tell you about the sharp edges, only the parts of the product that work within the narrow scenarios product management understood and defined.

Whether it’s software or hardware, I’ve spent a lot of time over the last year or so working to eliminate tools that fail to make me more productive or reduce day-to-day friction in my work or personal life. Basically looking around, pondering, “how often do I use this tool?”, and discarding it if the answer isn’t “often” or “all the time.” Tangentially, if there’s a tool that I even use at all because it’s the best option, but rarely do so, I’ll keep it around. PaperKarma is a good example of this, because there’s honestly no other tool that does what it does.

However, a lot of software and hardware that I might’ve found indispensable at one point is open for consideration, and I’m tired of being a technology pack-rat. If a tool isn’t something that I really want to (or have to) use all the time, if there’s no reason to keep it around, then why should I keep it? If it’s taking up space on my phone, tablet, or computer, but I never use it, why would I keep it at all?

As technology moves forward at a breakneck pace, with new model smartphones, tablets, and related peripherals for both arriving at incredible speed and with amazing frequency, we all have to make considered choices about when to acquire technology, when to retire it, and when to replace it. Similarly, as software purveyors all move to make you part of their own walled app and content gardens and mimic or pass each other, they also must fight to maintain relevance in the mind of their users every day.

This is why we see Microsoft building applications for iOS and Android, along with Web-based Office applications – to try and address scenarios that Apple and Google already do. It’s why we saw Apple do a reset on the iWork applications, add Web-based versions (to give PC users something to work with). Finally, it’s why we see Google building Hangout plug-ins for Outlook. It’s trying to inject your tools into a workflow where you are a foreign player.

The problem with this is that it is well-intended, but can only be modestly successful at best. As with the comment about GTD, you have to organically become a part of a user’s workflow. You can’t assert yourself into the space with your own workflow and expect to succeed. Great examples of this include Apple’s iWork applications where users on Macs are trying to collaborate with Microsoft Office users on Windows or Mac. Pages won’t seamlessly interact with Word documents – it always wants to save as a Pages document. The end result is that users are constantly frustrated throwing the documents back and forth, and will usually wind up caving and simply using Office.

Tools, whether hardware, or more likely software, that want to succeed over the long run must follow the below “rules of engagement”:

Solve an actual problem faced by your potential users

Seamlessly inject yourself into the workflow of the user any any collaborators the user must work with to solve that problem

Deliver enough value such that users must engage regularly with your application

Don’t create more friction than you remove for your users.

For me, I find that games are easily dismissed. They never solve a real problem, and are an idle-time consumer. Entertain the user or be dismissed and discarded. I downloaded a few photo synchronization apps, in the hopes that one could solve my fundamental annoyances with iPhoto. Both claimed to synchronize all of your photos from your iOS devices to their cloud. The problems with this were two-fold.

They didn’t reliably synchronize on their own in the background. Both regularly nagged me to open the app so it could sync

They synchronized to a cloud service, when I’ve already made a significant investment in iPhoto.

In the end, I stopped using both apps. They didn’t help me with the task I wanted to accomplish, and in fact made it more burdensome for the little value they did provide.

My primary action item out of this post, then, is a call to action for product managers (or anybody designing app[lication]s):

Make your app easy to learn, easy to engage with, friction-free, and valuable. You may think that the scenario you’ve decided to solve is invaluable, but it may actually be nerd porn that most users could care less about. Nerd porn as I define it is features that geeks creating things add to their technology that most normal users never care about (or miss if they’re omitted).

Solving a real-world problem with a general-use application means doing so in a simple, trivial, non-technical manner, and doing it in a way that makes users fall in love with the tool. It makes them want to engage with it as a tool that feels irreplaceable – that they couldn’t live without. When you’re building a tool (app/hardware/software or other), make your tool truly engaging and frictionless, or prepare to watch users acquire it, attempt to use it, and abandon it – and your business potential going with it.

“One of the most important ways to sell a car in China is word of mouth. People are listening to their friends, customers want to know what are the experiences of others with a product. So they are listening carefully. If you do not deliver the highest quality all of the time, your customer satisfaction goes down. Dissatisfied customers always talk about that they are not satisfied. So immediately if you don’t deliver, it would affect sales, [and] sales would be going down.” - Karsten Engel, CEO of BMW China in a CNBC interview.

Thing is, Engel’s point applies whether you’re talking about BMW automobiles in China, or not. His point is spot on regardless of the product or geography. One of the most important ways to sell a product… any product… is word of mouth from satisfied consumers. The way to kill any product is by letting quality or your user experience suffer. Dissatisfied users share their dissatisfaction, and in doing so and can kill your product, your sales, your company, and your job.

“The Sunscreen song”, which is actually named “Everybody’s Free (to Wear Sunscreen)”, by Baz Luhrmann, has been a (potentially odd) source of wisdom for me since it came out in 1998, just a few years after I graduated from college. I listen to the song periodically, and try to share it with my kids who, at 9 and 13, don’t yet “get” it.

The words of the song aren’t those of the artist, and they aren’t Kurt Vonnegut’s either, regardless of what urban legend says. No, the words come from Mary Schmich’s 1997 Chicago Tribune column, “Advice, like youth, probably just wasted on the young.” Much like Desiderata, the article attempted to gently deliver nuggets of wisdom about life to a younger generation – in this case as if Mary were delivering a graduation speech.

For years, I pondered how best to share my thoughts on surviving in the work world. While college prepares us for the world by chucking text at us page by page, it often can’t show us the deeper machinations of how the work world happens.

I present to you a non-conclusive collection of some of my thoughts about making the most of your career.

Ladies and gentlemen of the incoming workforce of 2014;
Job titles are free.

It’s true. You’ll bump into all sorts of people in your career, with lots of fancy, frilly titles. Chief of this. Executive of that. Founder of something you’ve never heard of.
Remember that titles cost nothing to hand out, and business cards are cheap to print.

Every time you go in for an interview, remember you’re interviewing the job just as much as the job is interviewing you. These are the people you’ll be working with as well as the job you’ll be working at.

Always ask, “Why did the last person in this position leave?”

Don’t settle.

Salary isn’t everything, but salary isn’t unimportant. Pats on the back won’t pay the electric bill. But if you’re only working somewhere because the pay is great, you’re cheating your colleagues, your employer, and yourself.

Typecasting isn’t just for actors. Don’t sit still. Always be working to improve yourself and your skills.

An employer who doesn’t value you improving your knowledge through training and doesn’t help you grow doesn’t value you. Don’t value them.

Age doesn’t equate to wisdom, and neither do words printed on a piece of paper in a frame on the wall. Wisdom almost exclusively arrives through experience, and experience results in both failures and successes. Humility comes from living through life’s failures, life’s successes, and learning over time that both can deliver valuable lessons.

“It seemed like a good idea at the time.” Whenever you run across the bad decisions of others who preceded you, shake your head, laugh, and repeat this to yourself. Make a plan and move forward. Don’t complain.

Consider yourself lucky if you ever work somewhere that an executive steps down because they, themselves (not the board) realize that someone else could do the job better than they could.

Murder your darlings. Suffer for your art. Take criticism as sunlight and water, and let it help you grow.

Simplify.

Surround yourself with people who make you wish you were smarter. Bolt from jobs where you’re always the smartest person in the room.

Value people who say “I don’t know” and ask “what do you need?”, guard yourself from people who keep secrets and never ask for help when things are going wrong.

Hiring the right people is hard. Hiring the wrong people is harder.

Firing someone, or laying someone off, is never fun.
Getting fired, or getting laid off, is never fun.

If your product or service isn’t selling, it’s probably not the marketing. It’s probably the product.

Perhaps you’ll find yourself at a startup. In such a situation, beware of strangers offering you sweat equity. Usually you’ll sweat, and they’ll get the equity.

There is no silver bullet.

You’ll probably find several stops along the way where “outsourcing” will be tossed out as the solution to a problem. With a perfect definition of the problem, a clear budget, and good management, it can be. Lacking any one of those three steps, you’ve got two problems instead.

Features, quality, or date. Choose any two.

In your career, you will likely have a spectrum of managers. Some will micromanage you, which is usually a result of their fear of failure and your failure to communicate with them enough to make them comfortable. Other managers will be so remote that you may fear failure, and feel like they aren’t communicating with you enough to make you comfortable. Communicate and collaborate, and it’ll all be fine.

When you find problems, point them out. If others around you tell you to keep it quiet, then they’re part of the problem too. If others above you tell you to keep it quiet, then you’ve got a real problem. Matches can become bonfires if you let them burn long enough.

If you make bad decisions, take the blame. If others make bad decisions, don’t feel the need to blame them.

Always be on the lookout for your next move. You may find yourself in a role that fits you from college to retirement. You may move to a new opportunity every few years. The main thing is to be cognizant that nothing is permanent, nothing is forever, and you should know what you would do the next day if your card-key stops working to unlock the door.

Do something you’re passionate about. If you’re not passionate about the thing you’re doing, you’re probably doing the wrong thing.

Meetings. Emails. Letters. Have a point, or there isn’t one.

Brevity.

Throughout your career, you will run into people whose primary skill is peacock language. They’ll tell you about themselves, strut around trying to look important, and talk in perfectly cromulent phrases. Smile to yourself, and remember that job titles are free.

An amendment: ˆTwo more sentiments I regret not adding to the above:

The unspoken word never needs to be taken back.

Burned bridges are hard to walk across when you need them.

I’m kind of surprised I forgot to put the first one one. It’s one of the earliest lessons I learned about work – through my father’s experiences, specifically around things that were said when leaving a job. Hint: If you think you might regret saying something to someone later, don’t. Just a good rule of thumb for life.

About every two months, a colleague and I travel to various cities in the US (and sometimes abroad) to teach Microsoft customers how to license their software effectively over a rather intense two-day course.

Almost none of these attendees want to game the system. Instead, most come (often repeatedly, sometimes with more people each time) to simply understand the ever-changing rules, how to apply them correctly, and how to (as I often hear it said) “do the right thing”.

Doing the right thing, whether we’re talking licensing, security, compliance, and beyond, often isn’t cheap. It takes planning, auditing, understanding the entire system, understanding an application lifecycle, and hiring competent developers and testers to help build and verify everything.

In the case of software licensing, we’ve generally found that there is no one single person that knows the breadth of a typical organization’s infrastructure. How can there possibly be? But the problem is if you want to license effectively (or build systems that are secure, compliant, or reliable), an individual or group of individuals must understand the entire integrated application stack – or face the reality that there will be holes. But what about the technology, when issues like Heartbleed come along and expose fundamental flaws across the Internet?

The reality is that complex systems are complex. But it is because of this complexity that these systems must be planned, documented, and clearly understood at some level, or we’re kidding ourselves that we can secure, protect, defend (and properly pay for) these systems, and have them be available with any kind of reliability.

Two friends on Twitter had a dialog the other day about responsibility/culpability when open source components are included in an application/system. One commented, “I never understand why doing it right & not getting sued for doing it wrong aren’t a strong argument.”

I get what she means. But unfortunately having been at a small ISV who wound up suing a much larger retail company because they were pirating our software, “doing the right thing” in business sometimes comes down to “doing the cheap, quick, or lazy thing”. In our case, an underling at the retail company had told us they were pirating our software, and he wanted to rectify it. He wanted to do the right thing. Negotiations occurred to try and come to closure about the piracy, but when it came down to paying the bill for the software that had been used/was being used, a higher up vetoed the payment due to us. Why? Simple risk management. Cheaper was believed to be better than the right thing.This tiny Texas software company couldn’t ever challenge them in court and win (for posterity: we could, and we did).

I wish I could say that I was shocked when I hear of companies taking shortcuts – improperly using open-source (or commercial) software out of the bounds of how it is licensed, deploying complex systems without understanding their security threat model, or continuing to run software after it has left support. But no. Not much really surprises me much anymore.

What does concern me, though, is that the world assumed that OpenSSL was secure, and that it had been reviewed and audited by enough skilled eyes to avoid elementary bugs like the one that created Heartbleed. But no, that’s not the case. Like any complex system, there’s a certain point where an innumerable number of people around the world just assumed that OpenSSL worked, accepted it, and deployed it; yet here it failed at a fundamental level for two years.

In a recent interview, the developer responsible for the flaw behind Heartbleed discussed the issue, stating, “But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area.”

I can’t tell you how troubling I find that statement. Long ago, Microsoft had a sea change with regard to how software was developed. Key components of this change involved

Developing threat models in order to be certain we understood the types and angles of approach for any threat vectors we could find

Deeper security foundations across the OS and applications

Finally, a much more comprehensive approach to testing (in large part to try and ensure that “simple programming errors in new features” wouldn’t blow the entire system apart.

No, even Microsoft’s system is not perfect, and flaws still happen, even with new operating systems. But as I noted, I find it remarkably troubling that a flaw as significant as Heartbleed can make it through development, peer review, any bounds-checking testing done in the OpenSSL development process, and into release (where it will generally be accepted as “known good” by the community at large – warranted or not) for two years. It’s also concerning that the statement included that the Heartbleed flaw “unfortunately occurred in a security relevant area“. As I said on Twitter – this is OpenSSL. The entire thing should be considered to be a security relevant area.

The biggest problem with this issue is that there should be ongoing threat modeling and bounds checking amongst users of OpenSSL (or any software – open or commercial), and in this case the OpenSSL development community to ensure that the software is actually secure. But as with any complex system, there’s a uniform expectation that this type of project results in code that could be generally regarded as safe. But most companies will simply assume a project as mature and ubiquitous as OpenSSL is so, and do little to no verification of the software, deploy it, and later hear through others about vulnerabilities in the software.

In the complex stacks of software today, most businesses aren’t qualified to, simply aren’t willing to, or aren’t aware of the need to, perform acceptance checking on third-party software they’re using in their own systems (and likely don’t really have developers on staff that are qualified to review software such as OpenSSL. As a result, a complex and fragile system becomes even more complex. And even more fragile. Even more dangerous, without any level of internal testing, these systems of internal and external components are assumed to be reliable, safe, and secure – until time (and usually a highly technical developer being compensated for finding vulnerabilities) show it to not be the case, and then we find ourselves in goose chase mode, as we are right now.

“…there is still something to be said for painting portraits of the people we have loved, for trying to express those moments that seem so inexpressibly beautiful, the ones that change us and deepen us.”

A year or so ago, a good friend from Microsoft told me he was leaving the company, and was pondering a few ideas about what do next. His ideas had one common trait, that he wanted to improve how people got things done, a desire I’ve highlighted in some blog posts before.

Working with a partner, he brainstormed a few ideas, and they focused in on the following use case:

When I post a job to a job board, my inbox gets inundated with resumes. The process of reviewing these is manual and painful, and makes me feel like I’m stuck in the 1990’s. Isn’t there any way to simplify this?

Their answer to that question is here at Jobvention.com, and I think it is pretty impressive (personally, I love apps that streamline tasks that are needlessly complex).

Simplistically, Jobvention enables an easy workflow for a hiring manager to process job candidates. It links together the job posting (from sites like Craigslist) and incoming resumes (from Gmail and Google Apps for Business, currently) together within Jobvention. It also enables bulk upload of resumes, to let you easily process them through Jobvention, and bulk download of any resumes stored in the system for later reference.

When email in your Gmail inbox is synchronized with Jobvention, messages matching the posting are processed, the app links each message to the job posting, and processes all of the resumes, displaying them directly as text within the app. As a result, you don’t have to download them and read them on your desktop, (but you can do so).

From there, candidates can be easily categorized as those you want to thank for their resume but decline, hold for later, or follow up with, according to how well they align with the job posting. Jobvention lets hiring managers send custom email out to categorized candidates, whether to thank them or engage them for follow-up, and shows you the email conversation history from directly within Jobvention (but does not store the messages). See below for a screenshot of Jobvention in action.

Candidate resumes can also be kept for later reference if they might be a good fit for another posting down the line.

Today, Jobvention provides the key workflow stages needed to rapidly process potential job candidates. The service is currently free, and iterating pretty rapidly as they continue to refine the service. Personally, I wish I’d had Jobvention when I was hiring developers in Austin long ago, and look forward to seeing how the team moves it forward.

Imagine I handed you a Twinkie (or your favorite shelf-stable food item), and asked you to hold on to it for almost 13 years, and then eat it.

Aw, c’mon. Why the revulsion?

It’s been hard for me to watch the excited countdown to the demise of Windows XP. Though I did help ship Windows Server 2003 as well, no one product (or service) that I’ve ever worked on became so popular, for so long – by any stretch of the imagination – as Windows XP did.

Yet, here we are, reading articles discussing the topic of what country or what company is now shelling out $M to get support coverage for Windows XP for the next 1, 2, or 3 years (getting financially more painful as the year count goes up). It’s important to note that this is no “get out of jail free” card. Nope. This is just life support for an OS that has terminal zero-day. These organizations still have to plan and execute a migration to a newer version of Windows that isn’t on borrowed time.

Why didn’t these governments and companies execute an XP evacuation plan? That’s a very good question. Putting aside the full blame for a second, there’s a bigger issue to consider.

Go back and think of that Twinkie. Contrary to popular opinion, Twinkies don’t last forever (most sources say it’s about 25 days). Regardless, you get the idea that for most normal things, even shelf-stable isn’t shelf-stable forever. Heck, even most MRE‘s need to be stored at a reasonable temperature and will taste suboptimal after 5 or more years.

While I can perhaps excuse consumers who decide to hang on to an operating system past it’s expiration date, I have a harder time understanding how organizations and governments with any long-term focus sat by and let XP sour on them. It would be one thing if XP systems were all standalone and not connected to the Internet. Perhaps then we could turn a blind eye to it. But that’s not usually the case; XP systems in business environments, which lack most of the security protections delivered later for Windows Vista, 7, and 8.x, are largely defenseless, and will be standing there waiting to get pwned as the vulnerabilities stack up after tomorrow. In my mind, the most dangerous thing is security vendors claiming to be able to protect the OS after April 8. In most cases, that’s an all but impossible feat, and instills a false sense of confidence in XP users and administrators.

The key concern I have is that people are looking at Windows XP as if software dying is a new thing, or something unusual. It isn’t. In fact, tomorrow, the entire spectrum of Office 2003 software (the Office productivity suite, SharePoint, Exchange, and more) also leave support and could have their own set of security compromises down the road. But as I said, this isn’t the first time software has entered an unsupportable realm, and it won’t be the last. It’s just a unique combination as we get the perfect storm of XP’s pervasiveness, the ubiquity of the Internet, and the increasing willingness of bad people to do bad things to computers for money. Windows Server 2003 (and 2003 R2) are next, coming up in July of 2015.

People across the board seem to have this odd belief that when they buy a perpetual license to software, it can be used forever (versus Office 365, which people more clearly understand as a subscription that expires if not paid in an ongoing manner). But no software, even if “perpetually licensed”, is actually perpetual. Like that Twinkie I’ve mentioned a few times, even good software goes bad. As an industry, we need to start getting customers throughout the world to understand that, and get more organizations to begin planning software deployments as an ongoing lifecycle, rather than a one-time expense that is ignored until it goes terminal.